How might the feds have snooped on Lavabit?

Going on record to say that I've never received an NSL. If I do get one, I'll be unable to confirm or deny that I have.

Someone clearly didn't think that through.

Your point brilliantly proves just how stupid people who make rules often are. Now they need a law that prohibits anyone from ever commenting about National Security Letters whether or not they have received one.

So set up with an "accomplice" (to make this sound suitably shady and nasty and whatnot) or accomplices to exchange emails regularly once a week/month/whenever, asking "have you been served with an NSL?", and agree to always answer "no" if you have not. If you either answer "I cannot say" or don't answer at all, your accomplice knows you've been served.

They really need a law prohibiting anyone from ever asking the question. I think by that point, free speech will have been sufficiently trampled to declare this a Police State.

"I have been told that they cannot change your fundamental business practices," said Callas,

I think the immunity Congress was forced to grant to all of the telecoms in 2008 shows he underestimates the power of the NSA to not only compel a change to an existing business practice, but also to break the law.

You're assuming that the telcos had any objection. My understanding is that the telcos not only didn't have such objections -- but at least some of them were pathetically eager to provide anything the NSA wanted or might want.

It does not matter how strongly encrypted your documents are. The fourth amendment in the US constitution gives law enforcement a legal tool called warrants, so you will have to provide a key to decrypt your documents if a warrant is issued by a judge.

If you as a third party do not comply with the warrant then you are obviously committing obstruction of justice.

The ability for the US government to compel you to turn over passwords or other keys is hotly debated and the courts are by no means settled on it.

It is the compelling of the third party to produce my documents I disagree with. There are already penalties in place should the subject of a warrant hinder investigation or destroy/hide evidence.

It implies a ban on privacy.

The Lavabit story is even bigger than the Snowden leaks IMHO.

People just don't understand this. I was somewhat waiting and bracing for the possibility that Federal agencies are doing the exact thing spelled out in this article. I didn't think it would actually come to this.

I cannot back away from how chilling this is. If I think I have a grasp on how far reaching this is, I think again and am proven wrong. There absolutely is no other possible implication of the Lavabit shutdown. It's a boiler-plate company. Straightforward, we have a company that provides encrypted services to users. They don't have the ability to give user information. They were requested something, which we don't know, and they had to shut down.

That should not have happened! There's no secret about the services that Lavabit was providing. So you get an order. Wham, bam, hand over the requested data. Such a company is BUILT to do this.

A correct reading of this article gives a clear picture - unless you understand cryptography and compile the encryption code yourself, you cannot trust any 3rd party service to be private. Read that sentence again. This isn't a little insane, this is supposed to be like Chemtrails kind of insane. A ban on privacy itself is a hop and a skip away from a belief that government is coming to assassinate me right now. If a ban on privacy isn't one of the most loopy insane things you've ever heard, you haven't understood it yet.

It does not matter how strongly encrypted your documents are. The fourth amendment in the US constitution gives law enforcement a legal tool called warrants, so you will have to provide a key to decrypt your documents if a warrant is issued by a judge. If you as a third party do not comply with the warrant then you are obviously committing obstruction of justice.

The ability for the US government to compel you to turn over passwords or other keys is hotly debated and the courts are by no means settled on it.

The courts are not settled on it because many courts are so far removed from their primary job- enforcing the US Constitution. 5th Amendment in simpleze is that you do not have to tell on yourself or provide evidence against yourself.

The courts have it wrong and should be ashamed. Under the 5th Amendment, you should not have to provide passwords, urine, blood, breath, or say jack shit ever. It is up to the government to prove your guilt beyond a reasonable doubt after an indictment based upon probable cause.

The other problem with the courts is that they are protecting the executive branch with super immunity from civil suit. If the DOJ would throw government employees in prison for violating the US Constitution, this stuff would stop- Immediately! If people could sue and get millions in damages for this type of tyranny or police brutality, this crap would stop- Immediately! Starve the beast...

Crusty: I don't understand your point...'starve the beast' is wingnut terminology as applied to our federal government. Wingnuts are typically for tort reform (i.e. they're against lawsuits that move money from wealthy to poor [which doesn't make sense to me because many wingnuts are lower-middle-class]).

"I have been told that they cannot change your fundamental business practices," said Callas,

I think the immunity Congress was forced to grant to all of the telecoms in 2008 shows he underestimates the power of the NSA to not only compel a change to an existing business practice, but also to break the law.

Yes, once you open the Pandora's box where they can make the law whatever they want it to be, all bets are off. I'm hoping the outcry will slow them down, but I doubt they can be stopped. They have been exposed employing illegal and unconstitutional means, and what happened? Nothing, they are going about business as usual.

It is most definitely NOT business as usual. The president has publicly declared plans to review the NSA's activities, their legal justifications for those activities and similar bits of info. Portions of the court ruling that allows this warrantless spying have been declassified, and a bill to severely limit the NSA's spying powers nearly passed Congress.

Stuff happens very slowly when courts are involved. Look at how long it took to stop Prenda, and there was no ambiguity about the legality of their (accused) actions. Give the executive branch a few months to realize this stuff isn't blowing over, the congressional branch time to build a bipartisan agreement and the judicial time to ponder and debate the legalities.

The Supreme Court hasn't yet rejected one privacy group's (the EFF, I think) petition for them (the Supreme Court) to review the legality of the FISC's ruling.

What really frightens me most is that I believe that ten years down the road into the future we're gonna be looking back on the present with nostalgia, as a time when the NSA and company was comparatively limited in scope, reach, powers, capabilities, etc., because of the pace of technological change.

"I have been told that they cannot change your fundamental business practices," said Callas,

I think the immunity Congress was forced to grant to all of the telecoms in 2008 shows he underestimates the power of the NSA to not only compel a change to an existing business practice, but also to break the law.

Yeah, if they hadn't granted immunity the telcos would've been forced to not comply and take their chances in court. Lawsuits from every corner were beginning to brew. With our various appellate courts leaning left and right this would've reached the Supreme Court. It more than likely would've reached a 5-4 split, the outcome would be anyone's guess.

It does not matter how strongly encrypted your documents are. The fourth amendment in the US constitution gives law enforcement a legal tool called warrants, so you will have to provide a key to decrypt your documents if a warrant is issued by a judge. If you as a third party do not comply with the warrant then you are obviously committing obstruction of justice.

Who says? That is not what "warrants" are for. Warrants have historically fallen under the following categories:
1. Search
2. Arrest
3. Execution
4. Dispossessory/eviction
5. Committal
These do not include forcing a potential criminal suspect to tell on themselves, i.e. turn over passwords.

They aren't forcing anyone to tell on themselves. They are basically asking your landlord to give them access to your apartment without a normal warrant.

There's a hell of a lot of noise being made about this and the Snowden releases (and government responses to them) that doesn't appear to be going away - it's not just limited to civil liberties groups, it's coming up in general conversation even. Not sure this analogy holds.

It does not matter how strongly encrypted your documents are. The fourth amendment in the US constitution gives law enforcement a legal tool called warrants, so you will have to provide a key to decrypt your documents if a warrant is issued by a judge. If you as a third party do not comply with the warrant then you are obviously committing obstruction of justice.

Who says? That is not what "warrants" are for. Warrants have historically fallen under the following categories:
1. Search
2. Arrest
3. Execution
4. Dispossessory/eviction
5. Committal
These do not include forcing a potential criminal suspect to tell on themselves, i.e. turn over passwords.

They aren't forcing anyone to tell on themselves. They are basically asking your landlord to give them access to your apartment without a normal warrant.

Which would be illegal. A rented residence is covered by the fourth even with the owner's permission.

My new business policy: Any government mail will be scanned and posted to the internet before being read.

I don't believe NSLs generally come via the USPS. I think they are typically hand delivered by a spook messenger who is likely accompanied by some intimidating coworkers. It's quite likely that they also monitor you and anyone you have had contact with within a certain period of time to ensure that there is a minimal chance of other witnesses.

Running a site that promises not to store secrets, and then logging them anyway is outright fraud. Perhaps the black letter of the law says that some official can order someone to do it, and then in some legal sense it is not fraud.

But that is just the rule of lawyers masquerading as the rule of law. I thank Mr. Levison for fighting that.

Why weren't the hashing / encryption / decryption operations on the text performed locally by JavaScript (e.g., CryptoJS library), with plaintext metadata, and that metadata was then encrypted on the server? That should guarantee that the worst the government could require would be metadata decryption -- not great, but better than nothing at all.

Hell, the JS file and composition window could even have an SHA512 provided on-page so that it could be ensured that no changes to the codebase there could happen without the users knowing, meaning it would be obvious that changes had occurred in the code that moves the messages from your browser instance to the server (unless the NSA could manipulate the code to move the encryption server-side in either the JS file or the composition page's HTML in a way that hits a collision in SHA512, which, to my knowledge, has no collision-attack holes yet).
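Added example, not part of the thread or any commenter's code: a Node.js sketch of the on-page SHA-512 check proposed in the comment above, set beside a digest the user pinned out of band. The script strings, function names and the out-of-band pin are constructed assumptions; it shows that a hash served by the same origin changes together with the script, so only the pinned digest notices the change.

```javascript
// Added example; every name and sample script here is constructed.
const { createHash } = require('crypto');

// SRI-style digest: "sha512-" + base64(SHA-512(body)).
function sha512Digest(body) {
  return 'sha512-' + createHash('sha512').update(body, 'utf8').digest('base64');
}

// One page load from one origin: the script plus the hash printed beside it.
function serve(script) {
  return { script, onPageHash: sha512Digest(script) };
}

// Check 1: compare the script with the hash shown on the same page.
function checkAgainstPage(response) {
  return sha512Digest(response.script) === response.onPageHash;
}

// Check 2: compare the script with a digest the user recorded earlier
// through a separate channel (assumption: e.g. a signed release note).
function checkAgainstPin(response, pinnedDigest) {
  return sha512Digest(response.script) === pinnedDigest;
}

// Constructed samples: the audited script encrypts in the browser,
// the changed one hands plaintext to the server.
const AUDITED = 'send(encryptLocally(message, userKey));';
const CHANGED = 'send(message); /* encryption moved server-side */';

function demo() {
  const pin = sha512Digest(AUDITED); // recorded out of band at audit time
  const honest = serve(AUDITED);
  const altered = serve(CHANGED);    // script and on-page hash updated together
  return {
    honestPage: checkAgainstPage(honest),
    honestPin: checkAgainstPin(honest, pin),
    alteredPage: checkAgainstPage(altered), // passes: the page hash changed too
    alteredPin: checkAgainstPin(altered, pin), // fails: the pin did not change
  };
}

console.log(demo());
```

In a browser the same comparison is what Subresource Integrity (`integrity="sha512-..."`) performs, with the same limit: the attribute is trustworthy only if the page carrying it is.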

They have been exposed employing illegal and unconstitutional means, and what happened? Nothing, they are going about business as usual.

Worse than nothing, they have quite literally been chastised by millions for illegal, immoral and unpopular actions. They have, for all intents and purposes, turned around and said "No, it's fine. This is legal, it's in your best interests, we're going to keep doing it whether you want it or not."

They are now acting almost certainly outside the law, they are definitely acting against the wishes of the majority, they are doing it all with impunity and on top of all this it's funded with money taken from the public.

However this ends, it's going to be interesting.

The only point I disagree with you on is this: "However this ends, it's going to be interesting." If it ends as I suspect, with little more than cosmetic change and further witch-hunts for whistleblowers, it won't be "interesting"; it will be sad to the point of tragic, because it will mean the furtherance of this 1984ish, Kafkaesque, Surveillance State, with the people at the top, in the secret police role, thinking they're doing the right thing while sinking deeper into their KGB-like roles of "protecting the state" (which really means protecting the power structure and "little people be damned", IOW, a Police State).

This is a strong move towards the ultimate loss of all your rights when confronted by the power of the government. That's not interesting to me. It's fucking scary.

OK... so the government can order you not to talk about these "security letters." But... can the government compel you to lie?

In my mind (naive perhaps), an answer such as "I can neither confirm nor deny" is a lie by omission and by that logic, the government is compelling you to lie. You never signed any sort of "Federal NDA." How can you be bound by a contract you never agreed to? (yeah... Patriot Act... I know... but I think you get my drift.)

Sure, maybe the feds can tell you you can't reveal the details of whatever is in the letter, but can they force you to lie when asked direct yes/no questions?

OK... so the government can order you not to talk about these "security letters." But... can the government compel you to lie?

In my mind (naive perhaps), an answer such as "I can neither confirm nor deny" is a lie by omission and by that logic, the government is compelling you to lie. You never signed any sort of "Federal NDA." How can you be bound by a contract you never agreed to? (yeah... Patriot Act... I know... but I think you get my drift.)

Sure, maybe the feds can tell you you can't reveal the details of whatever is in the letter, but can they force you to lie when asked direct yes/no questions?

Evidently, yes. Whether or not that is constitutional is another matter, but they've set up a Rube Goldberg-esque legal system to make it effectively impossible to challenge an NDA in court, so the SCOTUS hasn't ruled on it.

It strikes me that the voluntary closure of Lavabit was a success for the NSA, and everything about the closure - will have been anticipated and factored in. It was important for it not to close quietly, or the users of other encrypted email services would not now be feeling slightly nervous about their security.

We are watching them systematically closing the net on Ed Snowden. He now knows he cannot trust any encrypted email services (the fact that he used Lavabit showed he trusted it). He also knows that any individual even vaguely connected with him is being tracked through their international travel and will be stopped and interrogated on the slightest suspicion they might be carrying any communication.

If things are encrypted such that you do not have access to the plaintext of the documents, the only thing you can do is hand over the cyphertext. If it were obstruction of justice to be unable to comply with a warrant, we'd be able to put people in prison for not handing over a unicorn.

I believe this is exactly what the United Kingdom has in the form of RIPA law: they can demand you give them the key to your encrypted data and if you don't comply, they can imprison you for years.

If things are encrypted such that you do not have access to the plaintext of the documents, the only thing you can do is hand over the cyphertext. If it were obstruction of justice to be unable to comply with a warrant, we'd be able to put people in prison for not handing over a unicorn.

I believe this is exactly what the United Kingdom has in the form of RIPA law: they can demand you give them the key to your encrypted data and if you don't comply, they can imprison you for years.

I'm aware of that, it's a terrible law primarily in that they can imprison you even if you can prove you do not and never have had the key. That is not (yet) the case in the US, though. In theory the fifth amendment should protect one against having to divulge the key as it would be testimony against oneself, but this interpretation is being fought tooth and nail as it would be incredibly inconvenient for the US government not to be able to compel testimony.

Edit: It can in fact get you sent to prison even if they can't prove there is any encrypted data. If it were white noise or a jpg that they were 'certain' contained steganography, you could go to prison for not handing over the key which does not exist.

Don't get them interested in you. With this they can back-calculate crime, Minority Report in reverse. Guilt by association and inference.

The only way to not attract their attention is by being a sheep and following everything they say to the letter.

It looks like nowadays being a terrorist means to think and express your own ideas even when they differ from what the 'world' thinks is correct. The nerve! Who do I think I am to wish freedom of speech and freedom of thinking?

So yeah, add me to your "terrorist list", see how much I care.

You can come to Barcelona and pick me up if you want, but I'm no one (at the moment... give me time ^_^ )

Wouldn't it be possible to send encrypted e-mails by sending an attachment that has been encrypted by, for example, Truecrypt? In this case, nothing would be stored on the server except the encrypted attachment itself, and therefore the need for an encrypted e-mail provider is obviated because the attachment could be sent by "normal" e-mail.

Wouldn't it be possible to send encrypted e-mails by sending an attachment that has been encrypted by, for example, Truecrypt? In this case, nothing would be stored on the server except the encrypted attachment itself, and therefore the need for an encrypted e-mail provider is obviated because the attachment could be sent by "normal" e-mail.

Unless you're worried about metadata, and if you're not, then PGP accomplishes pretty much the same thing.

Just wait till they decide it's in the public's interests to go after the CA for a particular site and they can't confirm or deny they've done it.

How do you know this is not exactly what happened here? Has anyone asked?

My guess is the NSA, GCHQ and their French, Russian and Chinese equivalents + various others (including various gangsters) already have keys to every well established root CA.

It would seem like the first thing anyone would do with an NSL, yeah.

The whole certificate authority model is now clearly pointless, and it was hanging by a thread as it was. It simply does not work. Even if you trust certain CAs, and believe they manage their systems well, you can't be sure that they haven't received an NSL (or other equivalent) which completely compromises their service.

Ladar: the article says you have a "passion for open-source software". If you want to truly annoy the NSA, release the Lavabit source code. The public will be grateful, and your actions will not be forgotten.